Abstract
This paper studies hybrid contract verification for an imperative higher-order language based on a so-called manifest contract system. In manifest contract systems, contracts are part of static types, and contract verification is hybrid in the sense that some contracts are verified statically, typically by subtyping, while others are verified dynamically by casts. It is, however, not trivial to extend existing manifest contract systems, which have been designed mostly for pure functional languages, to imperative features, mainly because they lack flow-sensitivity, which must be taken into account when verifying imperative programs statically.
We develop an imperative higher-order manifest contract system λrefH for flow-sensitive hybrid contract verification. We introduce a computational variant of Nanevski et al.'s Hoare types, which are flow-sensitive types that represent pre- and postconditions of impure computation. Our Hoare types are computational in the sense that pre- and postconditions are given by Booleans in the same language as programs, so that they are dynamically verifiable. λrefH also supports refinement types, as in existing manifest contract systems, to describe flow-insensitive, state-independent contracts of pure computation. While it is desirable that any predicate, possibly a state-manipulating one, can be used in contracts, unrestricted stateful operations would break the system. To control stateful operations in contracts, we introduce a region-based effect system, which allows contracts in refinement types and computational Hoare types to manipulate states as long as they are observationally pure and read-only, respectively. We show that dynamic contract checking in our calculus is consistent with static typing in the sense that a final result obtained without dynamic contract violations satisfies the contracts in its static type. In particular, this means that the state after a stateful computation satisfies its postcondition.
As in some prior manifest contract systems, static contract verification in this work is "post facto": we first define our manifest contract system so that all contracts are checked at run time, formalize conditions under which dynamic checks can be removed safely, and show that programs with and without such removable checks are contextually equivalent. We also apply the idea of post facto verification to region-based local reasoning, inspired by the frame rule of Separation Logic.
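To make the dynamic side of the abstract concrete, the following added example (not code from the paper; a small model written for this page) runs a Hoare-typed computation with Boolean pre- and postconditions over an explicit store, and enforces the effect discipline the abstract describes: postconditions are evaluated in a read-only mode, while refinement predicates may write only to cells they allocated themselves, which is how this model approximates "observationally pure". The names `Store`, `hoare` and `refine` are assumptions of this model, not identifiers from the paper.

```python
class ContractViolation(Exception):
    pass

class Store:
    """Heap of integer cells; while a contract runs, `mode` restricts effects
    to read-only or to fresh cells allocated by the contract itself (model assumption)."""
    def __init__(self):
        self.cells, self.next_loc, self.mode, self.fresh = {}, 0, None, set()

    def alloc(self, v):
        if self.mode == "readonly":
            raise ContractViolation("contract allocated a cell in read-only mode")
        loc, self.next_loc = self.next_loc, self.next_loc + 1
        self.cells[loc] = v
        if self.mode == "fresh-only":
            self.fresh.add(loc)          # cell is local to the running contract
        return loc

    def read(self, loc):
        return self.cells[loc]

    def write(self, loc, v):
        if self.mode == "readonly" or (self.mode == "fresh-only" and loc not in self.fresh):
            raise ContractViolation(f"contract wrote to pre-existing cell {loc}")
        self.cells[loc] = v

    def run_contract(self, pred, mode):
        saved, self.mode, self.fresh = self.mode, mode, set()
        try:
            return bool(pred())
        finally:
            self.mode = saved

def refine(store, value, pred):
    """Cast of `value` into {x | pred x}; pred may only touch cells it allocates."""
    if not store.run_contract(lambda: pred(value), "fresh-only"):
        raise ContractViolation("refinement contract failed")
    return value

def hoare(store, pre, post, comp):
    """Computational Hoare type: `pre` is checked on the initial store, `post` on the
    result and final store; both run read-only, so they cannot disturb the state."""
    if not store.run_contract(pre, "readonly"):
        raise ContractViolation("precondition failed")
    result = comp()
    if not store.run_contract(lambda: post(result), "readonly"):
        raise ContractViolation("postcondition failed")
    return result

def demo():
    st = Store()
    c = st.alloc(0)                                   # constructed sample state
    def incr():
        st.write(c, st.read(c) + 1)
        return st.read(c)
    old = st.read(c)
    r = hoare(st, lambda: st.read(c) >= 0,
              lambda res: res == old + 1 and st.read(c) == old + 1, incr)
    v = refine(st, 5, lambda x: st.read(st.alloc(x * 2)) > 0)   # scratch cell is fresh: allowed
    try:                                              # a postcondition that writes is rejected
        hoare(st, lambda: True, lambda res: (st.write(c, 99), True)[1], incr)
        bad = "not caught"
    except ContractViolation as e:
        bad = str(e)
    return r, v, st.read(c), bad
```

`demo()` returns the checked result of the first computation, the refined value, the final counter (the rejected postcondition did not corrupt it) and the violation message.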
Supplemental Material
Proofs of the metatheory, in particular, type soundness and static contract verification, of our imperative higher-order manifest contract calculus.
- B. Alpern, M. N. Wegman, and F. K. Zadeck. Detecting equality of variables in programs. In Proc. of ACM POPL, pages 1–11, 1988.
- A. Banerjee, D. A. Naumann, and S. Rosenberg. Regional logic for local reasoning about global invariants. In Proc. of ECOOP, pages 387–411, 2008.
- J. F. Belo, M. Greenberg, A. Igarashi, and B. C. Pierce. Polymorphic contracts. In Proc. of ESOP, pages 18–37, 2011.
- J. Bengtson, J. B. Jensen, F. Sieczkowski, and L. Birkedal. Verifying object-oriented programs with higher-order Separation logic in Coq. In Proc. of Interactive Theorem Proving, pages 22–38, 2011.
- G. M. Bierman, A. D. Gordon, C. Hriţcu, and D. Langworthy. Semantic subtyping with an SMT solver. In Proc. of ACM ICFP, pages 105–116, 2010.
- M. Blume and D. A. McAllester. Sound and complete models of contracts. J. Funct. Program., 16(4-5):375–414, 2006.
- A. Borgida, J. Mylopoulos, and R. Reiter. On the frame problem in procedure specifications. IEEE Trans. Software Eng., 21(10):785–798, 1995.
- C. Calcagno, S. Helsen, and P. Thiemann. Syntactic type soundness results for the region calculus. Inf. Comput., 173(2):199–221, 2002.
- O. Chitil. Practical typed lazy contracts. In Proc. of ACM ICFP, pages 67–76, 2012.
- D. Clarke, J. Östlund, I. Sergey, and T. Wrigstad. Ownership types: A survey. In Aliasing in Object-Oriented Programming. Types, Analysis and Verification, pages 15–58, 2013.
- D. G. Clarke, J. Potter, and J. Noble. Ownership types for flexible alias protection. In Proc. of ACM OOPSLA, pages 48–64, 1998.
- W. Dietl and P. Müller. Object ownership in program verification. In Aliasing in Object-Oriented Programming. Types, Analysis and Verification, pages 289–318, 2013.
- C. Dimoulas, S. Tobin-Hochstadt, and M. Felleisen. Complete monitors for behavioral contracts. In Proc. of ESOP, pages 214–233, 2012.
- T. Disney, C. Flanagan, and J. McCarthy. Temporal higher-order contracts. In Proc. of ACM ICFP, pages 176–188, 2011.
- D. Dreyer, K. Crary, and R. Harper. A type system for higher-order modules. In Proc. of ACM POPL, pages 236–249, 2003.
- R. B. Findler and M. Felleisen. Contracts for higher-order functions. In Proc. of ACM ICFP, pages 48–59, 2002.
- R. B. Findler, S. Guo, and A. Rogers. Lazy contract checking for immutable data structures. In Proc. of IFL, pages 111–128, 2007.
- C. Flanagan. Hybrid type checking. In Proc. of ACM POPL, pages 245–256, 2006.
- C. Flanagan, S. N. Freund, and A. Tomb. Hybrid types, invariants, and refinements for imperative objects. In ACM FOOL/WOOD, 2006.
- C. S. Gordon, M. D. Ernst, and D. Grossman. Rely-guarantee references for refinement types over aliased mutable data. In Proc. of ACM PLDI, pages 73–84, 2013.
- M. Greenberg. Manifest Contracts. PhD thesis, University of Pennsylvania, 2013.
- M. Greenberg, B. C. Pierce, and S. Weirich. Contracts made manifest. In Proc. of ACM POPL, pages 353–364, 2010.
- J. Gronski, K. Knowles, A. Tomb, S. N. Freund, and C. Flanagan. Sage: Hybrid checking for flexible specifications. In Scheme and Functional Programming Workshop, pages 93–104, 2006.
- D. Herman, A. Tomb, and C. Flanagan. Space-efficient gradual typing. In Trends in Functional Prog. (TFP), pages 1–18, 2007.
- R. Hinze, J. Jeuring, and A. Löh. Typed contracts for functional programming. In Proc. of FLOPS, pages 208–225, 2006.
- C. A. R. Hoare. An axiomatic basis for computer programming. Commun. ACM, 12(10):576–580, 1969.
- I. T. Kassios. Dynamic frames: Support for framing, dependencies and sharing without restrictions. In Proc. of Formal Methods, pages 268–283, 2006.
- I. T. Kassios. The dynamic frames theory. Formal Asp. Comput., 23(3):267–288, 2011.
- K. Knowles and C. Flanagan. Compositional reasoning and decidable checking for dependent contract types. In Proc. of ACM PLPV, pages 27–38, 2009.
- K. Knowles and C. Flanagan. Hybrid type checking. ACM Trans. Program. Lang. Syst., 32(2:6), 2010.
- J. M. Lucassen and D. K. Gifford. Polymorphic effect systems. In Proc. of ACM POPL, pages 47–57, 1988.
- R. McNaughton and H. Yamada. Regular expressions and state graphs for automata. IEEE Trans. Electron. Comput., 9:39–47, 1960.
- B. Meyer. Object-Oriented Software Construction, 1st Edition. Prentice-Hall, 1988. ISBN 0-13-629031-0.
- Microsoft Corporation. TypeScript language specification.
- E. Moggi. Computational lambda-calculus and monads. In Proc. of LICS, pages 14–23, 1989.
- E. Moggi. Notions of computation and monads. Inf. Comput., 93(1):55–92, 1991.
- A. Nanevski and G. Morrisett. Dependent type theory of stateful higher-order functions. Technical Report TR-24-05, Harvard University, 2005.
- A. Nanevski, G. Morrisett, and L. Birkedal. Polymorphism and separation in Hoare Type Theory. In Proc. of ACM ICFP, pages 62–73, 2006.
- A. Nanevski, A. Ahmed, G. Morrisett, and L. Birkedal. Abstract predicates and mutable ADTs in Hoare type theory. In Proc. of ESOP, pages 189–204, 2007.
- P. C. Nguyen, S. Tobin-Hochstadt, and D. Van Horn. Soft contract verification. In Proc. of ACM ICFP, pages 139–152, 2014.
- P. W. O'Hearn, J. C. Reynolds, and H. Yang. Local reasoning about programs that alter data structures. In Proc. of CSL, pages 1–19, 2001.
- X. Ou, G. Tan, Y. Mandelbaum, and D. Walker. Dynamic typing with dependent types. In Theor. Comput. Sci., pages 437–450, 2004.
- M. J. Parkinson and G. M. Bierman. Separation logic for object-oriented programming. In Aliasing in Object-Oriented Programming. Types, Analysis and Verification, pages 366–406, 2013.
- B. C. Pierce. Types and Programming Languages. The MIT Press, 2002.
- J. C. Reynolds. Separation logic: A logic for shared mutable data structures. In Proc. of LICS, pages 55–74, 2002.
- P. M. Rondon, M. Kawaguchi, and R. Jhala. Liquid types. In Proc. of ACM PLDI, pages 159–169, 2008.
- B. K. Rosen, M. N. Wegman, and F. K. Zadeck. Global value numbers and redundant computations. In Proc. of ACM POPL, pages 12–27, 1988.
- T. Sekiyama, Y. Nishida, and A. Igarashi. Manifest contracts for datatypes. In Proc. of ACM POPL, pages 195–207, 2015.
- T. Sekiyama, A. Igarashi, and M. Greenberg. Polymorphic manifest contracts, revised and resolved, 2016. Submitted for publication.
- J. G. Siek, M. M. Vitousek, M. Cimini, S. Tobin-Hochstadt, and R. Garcia. Monotonic references for efficient gradual typing. In Proc. of ESOP, pages 432–456, 2015.
- J. Smans, B. Jacobs, and F. Piessens. Implicit dynamic frames: Combining dynamic frames and Separation logic. In Proc. of ECOOP, pages 148–172, 2009.
- J. Smans, B. Jacobs, and F. Piessens. VeriFast for Java: A tutorial. In Aliasing in Object-Oriented Programming. Types, Analysis and Verification, pages 407–442, 2013.
- M. H. Sørensen and P. Urzyczyn. Lectures on the Curry-Howard Isomorphism, Volume 149 (Studies in Logic and the Foundations of Mathematics). Elsevier, New York, NY, USA, 2006. ISBN 0444520775.
- T. S. Strickland and M. Felleisen. Contracts for first-class classes. pages 97–112, 2010.
- T. S. Strickland, S. Tobin-Hochstadt, R. B. Findler, and M. Flatt. Chaperones and impersonators: Run-time support for reasonable interposition. In Proc. of ACM SPLASH/OOPSLA, pages 943–962, 2012.
- N. Swamy, J. Weinberger, C. Schlesinger, J. Chen, and B. Livshits. Verifying higher-order programs with the Dijkstra monad. In Proc. of ACM PLDI, pages 387–398, 2013.
- N. Swamy, C. Hriţcu, C. Keller, A. Rastogi, A. Delignat-Lavaud, S. Forest, K. Bhargavan, C. Fournet, P. Strub, M. Kohlweiss, J. K. Zinzindohoue, and S. Z. Béguelin. Dependent types and multi-monadic effects in F*. In Proc. of ACM POPL, pages 256–270, 2016.
- A. Takikawa, T. S. Strickland, and S. Tobin-Hochstadt. Constraining delimited control with contracts. In Proc. of ESOP, pages 229–248, 2013.
- S. Tobin-Hochstadt and D. Van Horn. Higher-order symbolic execution via contracts. In Proc. of ACM SPLASH/OOPSLA, pages 537–554, 2012.
- M. Tofte and J.-P. Talpin. Implementation of the typed call-by-value λ-calculus using a stack of regions. In Proc. of ACM POPL, pages 188–201, 1994.
- J. A. Tov and R. Pucella. Stateful contracts for affine types. In Proc. of ESOP, pages 550–569, 2010.
- N. Vazou, P. M. Rondon, and R. Jhala. Abstract refinement types. In Proc. of ESOP, pages 209–228, 2013.
- P. Vekris, B. Cosman, and R. Jhala. Refinement types for TypeScript. In Proc. of ACM PLDI, pages 310–325, 2016.
- P. Wadler. The essence of functional programming. In Proc. of ACM POPL, pages 1–14, 1992.
- P. Wadler and R. B. Findler. Well-typed programs can't be blamed. In Proc. of ESOP, pages 1–16, 2009.
- P. Wadler and P. Thiemann. The marriage of effects and monads. ACM Trans. Comput. Log., 4(1):1–32, 2003.
- A. K. Wright and M. Felleisen. A syntactic approach to type soundness. Inf. Comput., 115(1):38–94, 1994.
- H. Xi. Applied type system: Extended abstract. In TYPES, pages 394–408, 2003.
- H. Xi. Dependent ML: An approach to practical programming with dependent types. J. Funct. Program., 17(2):215–286, 2007.
- H. Xi and F. Pfenning. Dependent types in practical programming. In Proc. of ACM POPL, pages 214–227, 1999.
- D. N. Xu. Hybrid contract checking via symbolic simplification. In Proc. of ACM PEPM, pages 107–116, 2012.
- D. N. Xu, S. L. Peyton Jones, and K. Claessen. Static contract checking for Haskell. In Proc. of ACM POPL, pages 41–52, 2009.
Published in POPL '17: Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages.